Description
MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.8.69, an authorization bypass in the `/api/settings/import-database` endpoint allows attackers with low-privilege credentials to upload and replace the application's SQLite database entirely, leading to a full compromise of the application. The bypass is relevant for other POST routes as well. Version 1.8.69 fixes the issue.
Published: 2026-03-27
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Full application compromise through database replacement
Action: Immediate Patch
AI Analysis

Impact

An improper access control flaw in MyTube allows an attacker with low-privilege credentials to invoke the "/api/settings/import-database" endpoint via POST requests. The endpoint accepts an uploaded SQLite database and replaces the existing application database without proper authorization checks. Because the database contains all application data and configuration, the attacker effectively gains complete control of the application, including modifying settings, uploading content, and possibly executing arbitrary code. The weakness is a classic case of improper authorization leading to privilege escalation (CWE-285 and CWE-639).

Affected Systems

The vulnerability affects the MyTube application distributed by franklioxygen. Any deployment running a version prior to 1.8.69 is vulnerable. Version 1.8.69 and later contain a fix that enforces proper role-based access control for the import endpoint and related POST routes.

Risk and Exploitability

The CVSS score of 7.4 indicates high severity, reflecting the possibility of full compromise. No EPSS score is available, and the flaw is not listed in the CISA KEV catalog, implying it may be an emerging threat. The attack requires only authenticated access to a low-privilege account and an HTTP POST to the vulnerable endpoint, making it relatively easy to exploit in a compromised or open environment. Immediate remediation is recommended to prevent potential data loss or takeover.

Generated by OpenCVE AI on March 27, 2026 at 06:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest MyTube release 1.8.69 or newer to remove the flaw
  • If an update is not yet available, configure the web server or application to block or restrict access to the "/api/settings/import-database" endpoint for non-admin users
  • Actively monitor web-application logs for unexpected POST requests to the import endpoint
  • Verify and monitor the integrity of the SQLite database file to detect unauthorized replacements
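The last two actions, as an added example that is not part of the OpenCVE page or the MyTube project: it scans constructed Common Log Format lines for POST requests to the import endpoint from accounts outside a known admin set, and fingerprints the SQLite file so a replacement can be detected by comparing against a stored hash. The log format, the sample accounts, and the admin set are assumptions.

```python
import hashlib
import re

# Endpoint path taken from the advisory.
IMPORT_ENDPOINT = "/api/settings/import-database"

# Common Log Format: host ident authuser [time] "METHOD path proto" status size
# (assumed log layout; adapt the regex to the deployment's own access log).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_suspicious_imports(log_lines, admin_users):
    """Return POSTs to the import endpoint made by accounts not in admin_users.
    Entries with a 2xx status are the ones that actually succeeded."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != IMPORT_ENDPOINT:
            continue
        if m["user"] not in admin_users:
            hits.append({"ip": m["ip"], "user": m["user"],
                         "status": int(m["status"])})
    return hits


def fingerprint_bytes(data):
    """SHA-256 over the raw database bytes; record it after each legitimate change."""
    return hashlib.sha256(data).hexdigest()


def db_replaced(path, known_hash):
    """True when the on-disk SQLite file no longer matches the recorded fingerprint."""
    with open(path, "rb") as f:
        return fingerprint_bytes(f.read()) != known_hash


# Constructed sample log lines (not real traffic); "alice" is the assumed admin.
SAMPLE_LOG = [
    '10.0.0.5 - alice [27/Mar/2026:06:00:01 +0000] "POST /api/settings/import-database HTTP/1.1" 200 512',
    '10.0.0.9 - bob [27/Mar/2026:06:02:13 +0000] "POST /api/settings/import-database HTTP/1.1" 200 498',
    '10.0.0.9 - bob [27/Mar/2026:06:02:20 +0000] "GET /api/videos HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in find_suspicious_imports(SAMPLE_LOG, {"alice"}):
        print("ALERT: non-admin database import", hit)
```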



Advisories

No advisories yet.

History

Fri, 27 Mar 2026 14:15:00 +0000

Metrics added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 08:45:00 +0000

First Time appeared: Franklioxygen; Franklioxygen mytube
Vendors & Products added: Franklioxygen; Franklioxygen mytube

Fri, 27 Mar 2026 04:00:00 +0000

Description added: MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.8.69, an authorization bypass in the `/api/settings/import-database` endpoint allows attackers with low-privilege credentials to upload and replace the application's SQLite database entirely, leading to a full compromise of the application. The bypass is relevant for other POST routes as well. Version 1.8.69 fixes the issue.
Title added: MyTube has an Improper Access Control that Allows Complete Application Takeover
Weaknesses added: CWE-285; CWE-639
References added: (none)
Metrics added: cvssV4_0 {'score': 7.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T13:50:13.478Z

Reserved: 2026-03-23T17:34:57.561Z

Link: CVE-2026-33735

Vulnrichment

Updated: 2026-03-27T13:19:48.727Z

NVD

Status : Received

Published: 2026-03-27T01:16:20.840

Modified: 2026-03-27T15:16:56.527

Link: CVE-2026-33735

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:22:30Z

Weaknesses